Minutes of the meeting of the Audit and Compliance Committee of the Board of Directors of the Cook County 
Health and Hospitals System held Tuesday, January 17, 2012 at the hour of 9:30 A.M., at 1900 West Polk 
Street, in the Second Floor Conference Room, Chicago, Illinois. 

I. Attendance/Call to Order 

Chairman Munoz called the meeting to order. 

Present: Chairman Luis Munoz, MD, MPH and Directors Benn Greenspan, PhD, MPH, FACHE and 

Heather O’Donnell, JD, LLM (3) 

Board Chairman Warren L. Batts (Ex-Officio Member) and Director Hon. Jerry Butler 

Absent: None (0) 

Additional attendees and/or presenters were: 

Cathy Bodnar - System Chief Compliance Officer 
Helen Haynes - System Associate General Counsel 
Jeff Kitchen - McGladrey & Pullen, LLP 
Ram Raju, MD, MBA, FACS, FACHE - Chief 
Executive Officer 

II. Public Speakers 

Chairman Munoz asked the Secretary to call upon the registered speakers. 

The Secretary responded that there were none. 

III. Report from System Corporate Compliance Officer (Attachment # 1) 

A. Activity Report 

Cathy Bodnar, System Corporate Compliance Officer, presented the Annual Report of the Office of 
Corporate Compliance. Also presented was the Activity Report and projected Work Plan for FY2012. 
The Committee reviewed and discussed the information. 

Ms. Bodnar informed the Committee of a current Compliance issue, involving an individual identification 
information breach that recently occurred. The System’s Human Resources Department received a 
request from a County department/agency for copies of dual employment forms on file for physicians. A 
box containing copies of these forms was to be shipped from the System’s Human Resources Department 
to the downtown County Building; however, this box was not delivered, and was lost. Some of the dual 
employment forms contained the physicians’ Social Security numbers. As a result of this incident, the 
System has provided one year of credit monitoring for each of the physicians whose forms contained their 
Social Security number; for those physicians whose form did not contain their Social Security number, 
information was provided regarding how to set up a fraud alert warning within their credit account. 

Chairman Munoz inquired regarding the timeline for electronic Compliance training for employees. Ms. 
Bodnar stated that it is planned to be rolled-out in the first quarter of 2012. She expects that the roll-out to 
the population should be completed by February; it should be up and running no later than June 2012. In 
response to Chairman Munoz’ inquiry regarding the ramifications for those employees who do not comply 
with the Compliance training, Ms. Bodnar stated that a policy is needed to address that issue. 


Elizabeth Reidy - System General Counsel 

Deborah Santana - Secretary to the Board 

Thomas Schroeder - System Director of Internal Audit 


Page 1 of 38 



Audit and Compliance Committee Meeting Minutes 
Tuesday, January 17, 2012 
Page 2 


III. Report from System Corporate Compliance Officer (continued) 

Director Greenspan, seconded by Director O’Donnell, moved to receive and file the 
Annual Report of the Office of Corporate Compliance. THE MOTION CARRIED 
UNANIMOUSLY. 


IV. **Report f rom System Director of Internal Audit (Attachment # 1) 

A. Activity Report 

Tom Schroeder, System Director of Internal Audit, provided a report on the following subjects: 2011 
Internal Audit Accomplishments; and review of Internal Audit’s Charter. The Committee reviewed and 
discussed the information. 

Mr. Schroeder noted that the Internal Audit Charter was approved and adopted in March 2010. The 
Charter should be reviewed periodically and revised as needed; it is then signed-off by the Chair of the 
Committee, Chief Executive Officer and the Director of Internal Audit. Mr. Schroeder did not 
recommend any revisions to the Charter at this time; he stated that he would forward the Charter to the 
respective parties for their signature. 


V. Recommendations, Discussion/Information Item 

A. Update from RSM McGladrey & Pullen, LLP on FY2011 Audit activities 

Jeff Kitchen, Partner at McGladrey & Pullen, LLP, provided an update on FY2011 Audit activities. He 
stated that the kick-off meeting for the Health portion of the Audit is planned for this Thursday. The plan 
is to kick-off internal control-related testing and reviews in early February, and to begin the audit of 
substantive account balances in mid to late February; that work will continue on through the end of 
March. The objective is to have a very solid draft of the Health System financial statements by mid-April, 
in order to reach the County’s goal of having FY2011 County-wide audited financial statements issued by 
the end of May 2012. 

Dr. Ram Raju, Chief Executive Officer, referenced consultant services that had been provided to the 
System in the recent past by the staff of RSM McGladrey; he requested that the McGladrey staff 
responsible for the audit work be independent from and not include those McGladrey staff who were 
previously involved in the consultant work. 


VI. Action Items 

A. Minutes of the Audit and Compliance Committee Meeting, November 29, 2011 

Director O’Donnell, seconded by Director Greenspan, moved to accept the minutes of the 
Audit and Compliance Committee Meeting of November 29, 2011. THE MOTION 
CARRIED UNANIMOUSLY. 

B. Any items listed under Sections V, VI and VII 
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VII. Closed Session Discussion/Information Items 

A. **Report from System Director of Internal Audit 

B. Discussion of Personnel Matters 


Director Greenspan, seconded by Chairman Munoz, moved to recess the regular session 
and convene into closed session, pursuant to the following exception to the Illinois Open 
Meetings Act: 5 ILCS 120/2(c)(l), regarding “the appointment, employment, 

compensation, discipline, performance, or dismissal of specific employees of the public 
body or legal counsel for the public body, including hearing testimony on a complaint 
lodged against an employee of the public body or against legal counsel for the public 
body to determine its validity,” and 5 ILCS 120/2(c)(28), regarding “meetings between 
internal or external auditors and governmental audit committees, finance committees, and 
their equivalents, when the discussion involves internal control weaknesses, identification 
of potential fraud risk areas, known or suspected frauds, and fraud interviews conducted 
in accordance with generally accepted auditing standards of the United States of 
America.” THE MOTION CARRIED UNANIMOUSLY. 

Chairman Munoz declared that the closed session was adjourned. The Committee 
reconvened into regular session. 


VIII. Adjourn 

As the agenda was exhausted, Chairman Munoz declared the meeting ADJOURNED. 

Respectfully submitted, 

Audit and Compliance Committee of the 

Board of Directors of the 

Cook County Health and Hospitals System 


xxxxxxxxxxxxxxxxxxxxxx 

Luis Munoz, MD, MPH, Chairman 

Attest: 


XXXXXXXXXXXXXXXXXXXXXX 
Deborah Santana, Secretary 
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I. Introduction 

In Fiscal Year (FY) 2009, Cook County Health & Hospitals System (CCHHS) re-established the Corporate 
Compliance Office. The motivation for creating this office was to bring a System perspective to Compliance related 
activities. Cathy Bodnar, MS, RN, CHC was appointed the Chief Compliance Officer in September, 2009. 

This Annual Report presents the activities of the second year of the System Corporate Compliance Office and 
demonstrates the effectiveness of our program by looking at the infrastructure, communication strategy, and 
evaluating the program using the seven (7) Compliance Program Elements of a comprehensive compliance program 
delineated by the Office of Inspector General (OIG) in 1998. 

CCHHS has established a Mission, “To deliver integrated health services with dignity and respect regardless of a 
patient’s ability to pay; foster partnerships with other health providers and communities to enhance the health of the 
public; and advocate for policies which promote and protect the physical, mental and social well being of the people 
of Cook County.” 

The Corporate Compliance Office supports the CCHHS’ Mission with a departmental Mission: 

To uphold the mission, vision, and core goals of Cook County Health & Hospitals System (CCHHS) by 
establishing and supporting a system-wide culture of honesty and respect to guide everyone’s actions by 
-> Developing standards 
Increasing awareness 

-> Promoting honest behavior and professional responsibility 
through education, awareness, and shared accountability that promotes compliance with applicable laws, 
regulations, and System policies. 

CCHHS has established a Vision, “In support of its public health mission, CCHHS will be recognized locally, 
regionally, and nationally - and by patients and employees - as a progressively evolving model for an accessible, 
integrated, patient-centered, and fiscally-responsible healthcare system focused on assuring high-quality care and 
improving the health of the residents of Cook County.” 

To support CCHHS' Vision, the Vision of the Corporate Compliance Office is: 

To ensure safeguards are in place for our patients, our staff, and the public at large, the Corporate Compliance 
Program will be a resource to everyone affiliated with Cook County Health & Hospitals System. 

(For the purposes of this statement, “affiliated” is defined as all employees, medical staff, house staff, Board 
members, volunteers, students, patients, partners, consultants, agency personnel, and vendors.) 


II. Building Blocks - Setting Infrastructure 

The Annual Report begins with a look at the activities of the Program that comprise our efforts to establish an 
infrastructure to deliver a comprehensive compliance program. As noted earlier, the System Compliance Program 
was established in 2009 with the hiring of a Chief Compliance Officer. The Program added a Compliance 
Coordinator in February, 2010 and an Associate Compliance Officer in September, 2010. Attempts to hire a System 
Privacy Officer were conducted throughout FY10 and into FY11. A qualified candidate was selected early in FY11, 
unfortunately the candidate subsequently declined the appointment. At that point an external recruiter was engaged. 
Recruitment activities ceased in early summer 2011, when qualified candidates were not forthcoming. Critical 
examination of the functionality of Corporate Compliance operations, reviewing both the internal and external 
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environment and the candidate market, has occurred. Modifications to the existing departmental structure are being 
considered. 

Current Compliance Organization Chart 



Corporate Compliance Program Scope 

The CCHHS activities that fall into the Corporate Compliance Scope were established as: 

■ Accurate Books and Records 

■ Anti-kickback 

■ Conflict of Interest 

■ Emergency Medical Treatment and Labor Act (EMTALA) 

■ False Claims 

■ Healthcare Fraud and Abuse 

■ Marketing and Purchasing 

■ Patient Privacy, Confidentiality, and Security (HIPAA) 

■ Political Activity (including Shakman Compliance) 

■ Research 

■ Theft 


III. Being Present - Communication - Fostering Transparency 
A. Communication Strategy 

Developed an organizational communication strategy to increase employee awareness of the following 
topics: 

■ Definition and scope of compliance; 

■ Staff conduct (Standards of Conduct); 

■ Compliance toll-free hot line awareness; 

■ Responsibility to report potential/actual issues; 
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■ Consequences of not reporting; 

■ Non-retaliation process; 

■ Accessibility of the Compliance Officer and Program; and 

■ Privacy, Confidentiality, and Security. 

B. Communication Channels 

Communicated about general corporate compliance information, toll-free hot line, HIPAA Protected Health 
Information (PHI), HIPAA privacy and security, HIPAA sanctions, political activity prohibitions, and Shakman 
compliance in multiple formats: 

■ Posters; 

■ Flyers; 

■ Payroll inserts; 

■ Compliance Program business cards; 

■ Pens with the compliance hot line number; 

■ Privacy Protector wrist bands; 

■ Compliance Program magnets; 

■ Attendance/presence at team meetings; and 

■ Continual update of Compliance Intranet site. 

C. Corporate Compliance Intranet Site 

Optimized intranet webpage to ensure employees and physicians have easy access to guidance and tools. 


Tuesday, January 03,2012 



COOK COUNTY HEALTH 
A HOSPITALS SYSTEM I 

CC.tHSl 


We Bring Health CARE to Your Community 






CCHHS ACHN Cermak Health Services Oak Forest Health Center Provident Hospital Stroger Hospital Help 


CCHHS -> Compliance 


Nursing 

Clinician 

Pharmacy 

Alaris/CareFusion 

Documentation 

Information 

Services 

Training 


Contact Us 


Issues Brought to the Attention of Corporate 
Compliance (Dec 2010 thru Aug 2011) 


Hot Line Phone 1-866-489-4949 Hot Line Link internet Reporting 
Office 1900 W Polk, Suite 123 Chicago, II 60612 

E-mail compliance@cookcountyhhs.org 


Chief Compliance Officer 
Cathy Bodnar 

ctoodnar@cookcountyhhs.org 

Interim Privacy Officer 

Suzi Birz 

stoirz@cookcountyhhs.org 


Associate Compliance Officer 
Dianne Willard 

dwillard@cookcountyhhs.org 

Compliance Coordinator 
Nora H Koch 

nkoch@cookcountyhhs.org 


Compliance News 


Title Description 

~ CMS imposes S4.3 million for HIPAA violations ” City employee loses 

_ Q1 , job over medical record breach ” Employee snooping causes 
^ penalties to be imposed ” 

Spring Prosecutors indict hospital employee ” Women admits selling patient 
2011 information ** Missing laptop containing patient information ” 


HIPAA Refresher Course 



ReanicK 

< 0 % 


CCHHS 

* Standards of Conduct 

? 2011 Audit & Compliance Committee - Meetings 
Minutes & Agendas 

System Policies and Procedures 

? Link to Compliance & HIPAA Policies 


Compliance & Ethics Awareness 

? HIPAA...Your Responsibilty & Duty 


? Corporate Compliance Program 

f Corporate Compliance Reporting to the Governance 
Authorities of CCHHS 


? Hot Line Definitions 
? Hot Line FAQs 
? PHI - Patient labels contain 


? ** New Policies ” - HPAA - Use or Discllosure of PHI for 
Research ** HIPAA - Guidance for Clinical Research ” Medical 
Records - Subpoena Request “ Conflict of Interest ” Service 
Animals ** Non-Retaliation” Updated Notice of Privacy 
Practices” 


? Privacy Violations Q & A 


Cook County Government 
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The content of the compliance intranet page continues to evolve with the goal to promote transparency. The page 
includes the information that follows: 

■ Contact Information; 

■ Compliance News Nationally; 

■ Compliance and Ethics Awareness Documentation; 

■ Audit and Compliance Committee Meetings - Agenda and Minutes; 

■ Links to System Policies and Procedures; 

■ Cook County Government Documentation and Forms; and 

■ Graphic Illustrating Issues Brought to the Attention of Corporate Compliance. 

D. Focused Efforts 

Throughout FY11, Corporate Compliance provided support and subject matter expertise for various 
compliance issues to many departments and affiliates. The list that follows identifies a number of specific 
areas: 

■ CCHHS Board of Directors ■ Internal Audit 

■ Senior Leadership ■ Finance 

■ Operational Leadership ■ Emergency Department 

■ Office of the General Counsel ■ Interventional Radiology 

■ Health Information Management ■ Marketing and Public Relations 

■ Human Resources ■ Pastoral Care Services 

■ Information Services ■ Volunteer Services 


IV. Compliance Program Structure: Our Performance of the Elements 
Element 1 

The development and distribution of written standards of conduct, as well as written policies and procedures that 
promote the hospital’s commitment to compliance (e.g., by including adherence to compliance as an element in 
evaluating managers and employees) and that address specific areas of potential fraud, such as claims development 
and submission processes, code gaming, and financial relationships with physicians and other healthcare 
professionals. 

A. Policies and Procedures 

1. Developed and Implemented System Policies 

Progress continued on drafting and vetting System policies related to compliance with governance, 
HIPAA, conflict of interest, and general Compliance. The following policies were approved in FY11: 

00.01.00 Policy Management 

01.02.40 Privacy Management 

00.02.00 Conflict of Interest 

01.02.10 Sending and Receiving Faxes 

01.02.16 HIPAA: Requesting Alternative Communications 

01.02.18 HIPAA: Use or Disclosure of PHI for Research 

01.02.20 Social Media: Workforce Use and Conduct 

01.02.21 Medical Records: Subpoena Request 
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01.02.45 HIPAA: Business Associates 
01.02.55 HIPAA: Definitions 
01.03.40 Reporting and Non-Retaliation 

In response to amendments in HIPAA as a result of the HITECH Act, the CCHHS Notice of Privacy 
Practices was updated. New Notices are available to our patients in hard copy at our facilities, on our 
website, and within the 1 st Quarter FY 2012, new Notice of Privacy Practices posters will be replaced 
throughout the System. 

2. Work Plan Activities - Ensuring Compliance with Policies and Procedures 

In FY11, Corporate Compliance worked with operational areas to assess compliance with our 
procedures and, in certain instances, assist in the development of new policies. 

■ Sanction Screening Checks 

Addressed regulatory requirements to avoid employing, engaging, contracting or agreeing with 
any individual or entity who is excluded or “sanctioned” from participation in a federal 
healthcare program or who is debarred from participation in federal procurement or non¬ 
procurement programs for the provision of goods or services. This is an ongoing project for 
both CCHHS employees and vendors initiated in early FY10. 

■ Business Associate Agreements 

Updated Business Associate Agreements in compliance with both the HIPAA Privacy and 
Security Rules and amended in the Health Information Technology for Economic and Clinical 
Health (HITECH) Act of the American Recovery and Reinvestment Act. All active CCHHS 
vendors classified as Business Associates were required to endorse the updated Business 
Associate Agreement. 

■ Information System Security Plan Review 

Provided input into a global, system-wide information security plan developed internally by 
CCHHS’ Information Security Officer, the plan uses government guidance as a foundation. It 
incorporates the three (3) essential elements: operational, technical, and managerial to 
ensure the confidentiality, integrity, and availability of healthcare and patient data. 

■ Proactive Coding Review - Radiology Procedures 

Performed a review of documentation and independently assigned codes, compared the 
codes assigned to the documentation, and identified variances. Determined documentation 
does exist; additional detailed documentation is needed to improve coding specificity. 
Communicated findings to the providers within the operational area; operations subsequently, 
requested a follow up review. 

■ Proactive Coding Review - Chemotherapy 

Partnered with Internal Audit to provide coding compliance expertise. Performed a review of 
documentation and independently assigned codes, compared the codes assigned to the 
documentation, and identified variances. Determined documentation does exist; process 
improvement needed for uniform, detailed, timely documentation to meet the coding/billing 
requirements. In the sample reviewed, coding performed by coders in Health Information 
Management (HIM) paralleled Corporate Compliance coding. Challenges exist with 
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medication coding which is not assigned by HIM. Finance aware of the challenges and 
revisions to the workflow are in process. 

■ Unlawful Political Activity (Shakman) 

Transitioned incident reporting from CCHHS Corporate Compliance to Cook County’s Office of 
the Independent Inspector General. The transition was part of a county-wide effort to 
systematize Unlawful Political Discrimination (UPD). This transition factors into the effort to 
sunset the Compliance Administrator. Directly involved in the dissemination of 
communications to support this effort and provided system-wide education. 

■ Record Retention 

Drafted System Record Retention Policy using individual policies throughout the System and 
the parameters set forth by the Illinois Local Records Act. The critical element of the policy is 
the actual retention matrix which will supplement the policy and provide retention guidance to 
the System. Using the Illinois Hospital Association’s Record Retention Reference and the 
current retention material filed with the state of Illinois, an authoritative source document is in 
development. 

■ Patient’s Bill of Rights and Responsibilities 

Merged key elements from Patient's Bill of Rights and Responsibilities documents found within 
individual business units to develop a uniform, system-wide, patient-centered document. The 
end product was reviewed in accordance with regulatory guidance to ensure compliance. 
Provided content to Marketing and Public Relations team for brochure and signage 
development. 

■ Service Animals 

Developed a uniform, system-wide, patient-centered policy. Incorporated updated regulatory 
guidance and key elements from policies found throughout the organization. Provided 
language to Marketing and Public Relations team for signage development. 

■ Standards of Conduct 

Drafted an updated Standards of Conduct that incorporated Cook County’s Ethics Ordinance. 
The elements of the CCHHS Code meets or exceeds the Ethics Ordinance elements. At 
present, engaging stakeholders to provide input into the document. 


Element 2 

The designation of a Chief Compliance Officer and other appropriate bodies, e.g., a corporate compliance committee, 
charged with the responsibility of operating and monitoring the compliance program, and who reports directly to the 
CEO and the governing body. 

B. Compliance Office and Committees 

Cathy Bodnar, the Chief Compliance Officer, reports to both the CCHHS Board Audit & Compliance 
Committee and the CCHHS Chief Executive Officer. In turn, the CCHHS Board Audit & Compliance 
Committee and the CCHHS Chief Executive Officer each report to the CCHHS Board of Directors. 
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The primary duties of the Chief Compliance Officer were established to include the following: 

■ Serving as an internal consultant and resource for compliance matters; 

■ Overseeing and monitoring the ongoing functions of the Corporate Compliance Program; 

■ Participating in regular, CCHHS-wide risk assessments to understand potential vulnerabilities; 

■ Serving as the Privacy Officer for CCHHS to assure compliance with HIPAA regarding protection of 
patient health information; 

■ Reporting on a regular basis to the CCHHS governing bodies; 

■ Periodically revising the Corporate Compliance Program, with input from the Audit & Compliance 
Committee of the Board of Directors and Executive Management in light of changes directed to the 
needs of CCHHS and the laws and policies of federal, state, and county bodies; 

■ Developing, coordinating and participating in training programs that focus on the elements of the 
Corporate Compliance Program and providing training such that workforce members are 
knowledgeable of and comply with the Standards of Conduct, compliance policies, laws and 
regulations; 

■ Coordinating and overseeing compliance auditing and monitoring activities; 

■ Responding to reports of issues or suspected violations related to compliance by independently 
investigating these matters, as appropriate, and working with department managers, Human 
Resources, and General Counsel in the determination of corrective action that must be taken; 

■ Assuring, through consultation with Human Resources and General Counsel, that the CCHHS 
disciplinary policies and actions are applied fairly, equitably, appropriately, and consistently; and 

■ Developing policies and programs that encourage CCHHS personnel to report suspected fraud and 
other improprieties without fear of retaliation or retribution. 
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The Audit & Compliance Committee of the Board of Directors advises the Board regarding the 
implementation of standards and processes to assure professional responsibility and honest behavior, 
compliance with regulatory requirements, and risk management. 

An Audit & Compliance Steering Committee was established late in FY10. The primary objectives and 
responsibilities of this internal group of organizational leaders are to: 

■ Provide guidance to the corporate compliance and internal audit programs by promoting and 
supporting a culture of professional responsibility, honesty, and respect; 

■ Assist in the strategic direction of the organization with regard to compliance and internal audit 
matters; 

■ Provide advice and guidance to the Chief Compliance Officer and the System Director of Internal 
Audit in the accomplishment of his/her duties; 

■ Monitor the effectiveness of the corporate compliance and internal audit programs; 

■ Assist the Chief Compliance Officer and the System Director of Internal Audit in analyzing the 
healthcare industry compliance, financial, legal and risk environment and developing policies, 
procedures and systems to ensure compliance with applicable laws, regulations and guidelines; 

■ Review the System’s annual corporate compliance and internal audit work plans; 

■ Review issues, concerns and trends identified internally and externally, in particular those identified 
as presenting a significant risk to the organization; 

■ Recommend to the Chief Compliance Officer and System Director of Internal Audit and the Audit 
and Compliance Committee and the Board, as appropriate, actions or measures that it deems 
appropriate to improve the effectiveness of the corporate compliance and internal audit program; 

■ Carry out other duties that the Audit and Compliance Committee or the Board may delegate to the 
Committees; and 

■ Review and reassess this Charter every two years or more frequently as circumstances warrant, to 
ensure it remains relevant to the overall purpose of the Committee. 

The Ad Hoc Work Group on Corporate Compliance was charged with providing direction to the System 
Compliance Program. 

Responsibilities include providing oversight on unrestricted compliance program activities; this 
includes, but is not limited to, guidance on the mission and vision of the compliance program, the 
Standards of Conduct, compliance communications, and education and training for the community 
in general along with CCHHS personnel. 

The Group consisted of both internal and external members. The Group did not meet as a whole 
within FY 2011. The inactivity now triggers an evaluation of its ongoing existence. The Audit and 
Compliance Steering Committee is comprised of internal leaders. Therefore consideration should 
be given to the assembly of external leaders to provide an additional form of a check and balance. 

In addition to the committee relationships: 

■ A formal cooperative collaboration agreement between the CCHHS Office of Corporate 
Compliance and the County's Office of the Independent Inspector General (OIIG) was 
implemented in FY11. This partnership provides investigative support to Corporate Compliance. 
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Element 3 

The development and implementation of regular, effective education and training programs for all affected 
employees. 

C. Education and Training 

1. New Employee Orientation 

■ Presented an “Introduction to Corporate Compliance and HIPAA”, at over twenty (20) New 
Employee Orientation sessions and five (5) Volunteer Sessions. 

■ Separately trained new resident and fellows on Corporate Compliance and Privacy. Developed on¬ 
line material to provide more detailed Compliance and Privacy education which included a review 
of Standards of Conduct, and an electronic attestation to follow our policies, procedures, and 
compliance with our Standards. 

2. Targeted Education 

Provided audience specific education based on identified risks as follows: 

■ Provided specialty HIPAA education to operational areas: 

s Cook County Department of Public Health 
■S Human Resources 
s Revenue Cycle 
■S JHSH Patient Relations 
s CCHHS Providers at Oak Forest Hospital 
■S Department of Psychiatry 

■ Sent a broadcast message in partnership with Risk Management regarding the use of e-mail 
for transmitting Protected Health Information to all users of the CCHHS voice mail system. 

■ Provided training on Unlawful Political Discrimination to department directors and providers 
throughout the System. 

3. Unlawful Political Discrimination (UPD) 

Presented county-wide UPD training to organizational leadership and disseminated a county-wide log 
to further the goal of eliminating unlawful political discrimination in government and to foster a 
transparent, honest and fair employment process. 

4. Interim Annual Compliance Education 

Developed the content for a computer-based training module for Compliance and Privacy. Challenges 
presented with tracking and reporting. The training will be updated and migrated to a new electronic 
learning platform within FY12. 

5. Computer-Based Training 

Issued an RFP, selected and contracted with a vendor to provide content for Compliance and Privacy 
training. The product has a platform to not only house the Compliance and Privacy content but also to 
house any CCHHS content. Once implemented, system-wide organizational training will be managed 
in one central repository. 
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At the close of FY11, the following activities were completed to position CCHHS for a launch of 
computer-based training in 1 st Quarter FY 2012. 

■ Identified the human resources data requirements, 

■ Determined first modules to be deployed, 

■ Determined additional subjects/departments to roll-out computer-based training, and 

■ Customized courses to meet CCHHS Compliance and Privacy needs. 


Element 4 

The maintenance of a process, such as a hotline, to receive complaints, and the adoption of procedures to protect 
the anonymity of complainants and to protect whistleblowers from retaliation. 

D. Effective Lines of Communication - Receiving and Responding to Complaints 

1. Infrastructure Activities 

a. Assisted our patients, employees, and physicians, by retaining the following mechanisms for 
contacting Corporate Compliance through 

■ A toll-free hot line telephone number answered by a third party to preserve anonymity 
if desired. The caller is given a code number related to the matter, and can call back 
or check the website using that code number to review comments and updates. 

■ A separate toll-free telephone number for privacy breaches. 

■ Two (2) e-mail addresses for Compliance (compliance@cookcountvhhs.org) and 
Privacy (privacv@cookcountvhhs.org) . 

b. Established relationships and engaged internal and external resources to assist with 
investigations throughout the CCHHS and Cook County. 

c. Identified trends and patterns to mitigate organizational risks. 

d. Presented trends and patterns to the Audit and Compliance Committee of the Board. 

2. Process for Responding to Issues and Complaints 

Retained process for issue, complaint management, and resolution as follows: 

a. Investigate the allegation and confirm the details, 

b. Determine the area affected, 

c. Collaborate with appropriate departments, 

d. Review and follow organizational policy, federal, state, and county regulations related to the 
incident for mitigation and remediation. These may include further auditing of documentation, 
sending a notification and apology letter to the patient, notifying the Centers for Medicare and 
Medicaid (CMS), notifying the media, and, mitigating harm to the patient (to the extent 
possible), 

e. Determine and execute a corrective action plan, and 

f. Respond to the complainant. 
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3. Responding to Complaints from the US Department of Health and Human Services Office for Civil 
Rights (OCR) 

Received two (2) complaints from OCR in FY11; each compliant alleged unauthorized disclosure of 
Protected Health Information. Corporate Compliance conducted detailed investigations for each 
complaint. For one of the complaints, it is the CCHHS position that the disclosure was permitted under 
HIPAA and for the other, confirmed that an unauthorized disclosure did occur. In this instance, 
mitigation to remediate the situation occurred. 

4. Reporting 

Issue categories have been identified to allow the Program to most accurately measure compliance 
with the Standards of Conduct. 

■ Accurate Books and Records 

■ Conflict of Interest 

■ False Claims 

■ Healthcare Fraud and Abuse 

■ HIPAA Privacy, Confidentiality and Security 

■ Human Resources 

■ Political Activity 

■ Research 

■ Theft 

5. FY11 Statistics 



FY111ssue Count by Category io% 


Privacy (HIPAA) 

106 


Healthcare Fraud 

11 


Political Activity 

8 


Other 

40 

Conflict of Interest 

27 


Accurate Books 

9 


Theft 

6 




Human Resources 

25 


False Claims 

9 


Research 

1 





At the start of FY11,10 issues remained active or in process from FY 2010. Therefore, a total of 252 issues 
were active within FY11. At 44%, Privacy (HIPAA) was the largest reactive issue category in FY11. There 
were 20 confirmed breaches. The breaches resulted in approximately 32,400 patient notifications. The 
majority, over 32,000, were a result of a breach by a Business Associate. 
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Of the 252 active issues, 237 or 94% were resolved. Of the 237 resolved issues, 16% or 40 issues were 
referred for follow-up and management outside Corporate Compliance. 



74% 

4% 

16% 


■ Managed Internally 

■ Partnered with Another Area 

■ Referred to Another Area 


Element 5 

The development of a system to respond to allegations of improper/ illegal activities and the enforcement of 
appropriate disciplinary action against employees who have violated internal compliance policies , applicable statutes, 
regulations or Federal health care program requirements. 

E. Enforcing Standards 

Broadened the scope of Standards enforcement through: 

1. Information System Security Policies. Provided guidance and insights to the newly appointed 
Information Services Officer (ISO). Addressed regulatory requirements to the safeguarding of 
electronic Protected Health Information (ePHI). Reviewed Information System Security Handbooks 
along with an updated Security Standards/Rules of Behavior. 

2. Business Associate Agreements. Compliance contacted all current vendors that qualify as Business 
Associates under HIPAA and HITECH and requested execution of an updated Business Associate 
Agreement. 

3. Conflict of Interest. Provided guidance and developed Conflict Management Plans to preserve the 
integrity of the decision-making process. 

4. Breach Notification. Responsible for the investigation of all instances of lost or stolen patient 
information, including paper and electronic. For all instances in which the data loss constitutes a 
breach as defined by the Breach Notification for Unsecured Protected Health Information; Interim Final 
Rule, the breach notification requirements to the patient, the Secretary of HHS, and the media are 
completed. Corrective action plans are created and executed to improve the processes and counsel 
the physicians and employees involved. 

5. Investigations Resulting in Employee Related Corrective Actions. HIPAA and Conflict of Interest 
complaints were investigated and resulted in employee guidance being provided. 
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Element 6 

The use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified 
problem area. 

F. Auditing and Monitoring 

The Corporate Compliance Program conducted proactive coding audits using the following methodology: 

1. Determine the area in need of a focused review 

2. Identify the time frame and sample size 

3. Conduct review 

s “Blind” review of documentation for coding accuracy based on medical record documentation 
to independently assign codes 

s Compare blind review to data actually coded by HIM (soft-coded) or Charge Master (hard¬ 
coded) and data billed. Compare the codes assigned to the documentation 
■/ Identify variances 

s Identify strengths and weaknesses in process to mitigate risk 

4. Communicate the variance to the operational area(s) 

Element 7 

The investigation and remediation of identified systemic problems and the development of policies addressing the 
non-employment or retention of sanctioned individuals. 

G. Risk Assessment 

Addressed previously identified risks and challenges to meeting the standards of an effective compliance 
program. Activities highlighted in this report minimized risk through the introduction and enforcement of 
policies and standards, proactive auditing, education, and issue investigations with corrective action plans 
as appropriate. 

The course of activities in FY11 has led to the identification of specific risks. Some of these risks may affect 
our patients. The following risks were identified for further assessment in FY12: 

■ Securing Protected Health Information in electronic and paper format through encryption and 
secure storage devices. 

■ Training and obtaining appropriate storage of files containing Protected Health Information 
Transporting paper for individual and departmental use through CCHHS buildings, our educational 
and district partners of Rush and UIC, and off-campus. 

■ Managing clinical revenue for both the facility/technical component and the professional fee 
component. 

■ Assessing Pharmaceutical pricing and billing. 

■ Ensuring appropriate coding and billing practices as Revenue Cycle increases claim generation. 
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V. Looking Ahead _ 

With a solid foundation established, the Corporate Compliance Program will focus on analysis and risk reduction 
related to areas of compliance, implementation of System policies and procedures, and realization of the annual 
compliance education plan. 

These priorities have been established: 

■ Continue to serve as a resource to all our patients, our staff, and the public at large. 

■ Continue to investigate all complaints brought to the attention of the Program. 

■ Continue to perform proactive auditing and monitoring for healthcare services, in both professional and 
facility/technical areas, patient privacy and confidentiality, and policy compliance. 

■ Continue to develop policies to promote compliance. 

■ Deploy system-wide annual compliance education using an e-Learning Management System. 

■ Deploy system-wide conflict of interest data collection tool for annual attestation and reporting changes 
throughout the year. 

■ Implement System record retention policy and procedure. 

■ Publish and distribute an updated Standards of Conduct. 

■ Implement solutions aimed at identifying and resolving preventable risks. 
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Objectives 

■ To file the FY 2011 Corporate Compliance 
Annual Report. 

■ To briefly discuss recent activity. 

■ To present the projected Work Plan 
for FY 2012. 
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FY 2011 to FY 201 0 Comparison 
Compliance Issues (Reactive) 


250 

200 

150 

100 

50 

0 


■ FY 2010 ■ FY 2011 



Patient Privacy, Confidentiality 
and Security are consistently 
our top issues. 



27 



■ FY 2011 ■ FY 2010 
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Compliance Issues (Reactive) 

242 Issues Queried in FY 2011 



16.5% nnc 

10 % 


FY 2011 Issue Count by Category 


Privacy (HIPAA) 106 Healthcare Fraud 11 
Conflict of Interest 27 Accurate Books 9 
Human Resources 25 False Claims 9 


Political Activity 8 
Theft 6 

Research 1 


Other 40 
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Total Issues 

At the start of FY 2011, 10 issues remained active or in process 
from FY 2010. A total of 252 issues were active within FY 2011. 



■ Managed Internally 

■ Partnered with Another Area 

■ Referred to Another Area 


In FY2010 - 69% were 
managed in Compliance 


Of the 252 active issues, 
237 of 94% were resolved. 


Of the 237 resolved 
issues, 16% or 40 
issues were referred 
outside of Corporate 
Compliance. 


In FY2011 -78%were 
managed in Compliance 
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Compliance Work Plan (Proactive) 

FY 2012 Proposed Goals 

■ Continue to serve as a resource to all our patients, our staff, and 
the public at large. 

■ Continue to investigate all complaints brought to the attention of the 
Program. 

■ Continue to perform proactive auditing and monitoring for 
healthcare services, in both professional and facility/technical 
areas, patient privacy and confidentiality, and policy compliance. 

■ Continue to develop policies to promote compliance. 

■ Implement solutions aimed at identifying and resolving preventable 
risks. 
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Compliance Work Plan (Proactive) 

FY 2012 Proposed Goals (continued} 

■ Deploy system-wide annual compliance education using an 
Electronic Learning Management System. 

■ Publish and distribute an updated Standards of Conduct. 

■ Deploy system-wide conflict of interest data collection tool for 
annual attestation and reporting changes throughout the year. 

■ Implement System record retention policy and procedure. 
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Cook County Health and Hospitals System 
Minutes of the Audit and Compliance Committee Meeting 

January 17, 2012 
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Internal Audit Report 


January 17 ,2012 
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Objective 


> To review 2011 Internal Audit Accomplishments 

> To review Internal Audit’s Charter 

> Closed Session 
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2011 In Review 


> Completed transition to a CCHHS staffed internal audit function 
from an outsourced model 

> Completed a risk assessment and developed a 12-18 month 
internal audit plan based on the risk assessment 

> Substantial progress made towards completing the internal audit 
plan 

> Other - staff development, audit directors roundtable 
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Internal Audit Charter 


Significant Sections (complete charter included) 

1. Mission 

2. Role 

3. Professional Standards 

4. Authority 

5. Independence 

6. Accountability 

7. Audit Scope 

8. Responsibility 
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Cook County Health and Hospitals System (CCHHS) 

Internal Audit Charter January 17,2012 

Mission 

Internal Audit is an independent, objective assurance and consulting activity designed to add 
value and improve an organization’s operations. It helps an organization accomplish its 
objectives by bringing a systematic, disciplined approach to evaluate and improve the 
effectiveness of risk management, control and governance processes. 

Internal Audit will align its activities with the mission and strategy of CCHHS. Internal Audit 
will promote good controls and serve as an educational resource to its stakeholders with respect 
to risk management, control and governance processes. Internal Audit will maintain a 
collaborative approach to its work practices and will ensure its work product provides value 
added outputs for its stakeholders. 

Role 

• Internal Audit’s role is determined by the CCHHS Board of Directors through its Audit and 
Compliance Committee. 

• Responsibilities are defined by the CCHHS Board of Directors through its Audit and 
Compliance Committee. 

Professional Standards 

• Internal Audit will govern themselves by adherence to the Institute of Internal Audit’s 
“Code of Ethics”, http://www.theiia.org/guidance/standards-and-guidance/ippf/code-of- 
ethics/english/ 

• The Institute’s “International Professional Practice Framework” shall constitute the operating 
procedures for the department. These documents are considered an addendum to this Charter. 
http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/ 

• Internal Audit will adhere to all CCHHS policies and procedures and all Internal Audit 
procedure manuals. 

Authority 

Internal Audit is authorized to: 

• Have unrestricted access to all functions, records, property and personnel. 

• Have free, open, and timely access to the Chief Executive Officer and the CCHHS Board of 
Directors through its Audit and Compliance Committee. 

• Allocate department resources, set frequencies, select subjects, determine scope of work and 
apply the techniques required to achieve audit objectives. 

• Obtain the necessary assistance of personnel in the organization when performing audits, as 
well as other specialized services from within or outside the organization. 

Independence 

• All audit activities shall remain free of influence by any element in the organization, 
including matters of audit scope, procedures, frequency, timing, or report content, required to 
permit the independence required to render objective reports. 

• Internal auditors shall have no operational responsibility or authority over any activities they 
review. 

• Internal auditors shall not develop or install systems or procedures, prepare records or engage 
in any other activity that they would normally audit. 
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• Internal Audit reports functionally to the CCHHS Board of Directors through its Audit and 
Compliance Committee and administratively to the Chief Executive Officer. 

• Internal Audit periodically reports to the CCHHS Board of Directors through its Audit and 
Compliance Committee and to CCHHS Senior Leadership as outlined in the section on 
Accountability. 

Accountability 

Internal Audit is accountable to the CCHHS Board of Directors through its Audit and Compliance 
Committee and to CCHHS Senior Leadership to: 

• Report significant issues related to the process for controlling the activities of the 
organization, including potential improvements to those processes, and provide information 
concerning such issues through resolution. 

• Provide information periodically on the status and results of the annual audit plan and the 
sufficiency of internal audit resources. 

• Coordinate with and provide oversight of other control and monitoring functions. 

Audit Scope 

The scope of the work of Internal Audit is to determine whether the network of risk management, 

control and governance processes, as designed and represented by management, is adequate and 

functioning in a manner to ensure: 

• Risks are identified and managed. 

• Interaction with various governance groups occurs as needed. 

• Significant financial, managerial and operating information is accurate, reliable and timely. 

• Employee’s actions are in compliance with policies, standards, procedures and applicable 
laws and regulations. 

• Resources are acquired economically, used efficiently, and adequately protected. 

• Programs, plans and objectives are achieved. 

• Quality and continuous improvement are fostered in control processes. 

• Significant legislative or regulatory issues impacting the organization are recognized and 
addressed properly. 

Responsibility 

• Develop an annual audit plan using risk-based methodology, including any risk or control 
concerns expressed by management, and submit the plan to the CCHHS Board of Directors 
through its Audit and Compliance Committee and to CCHHS Senior Leadership for approval. 

• Implement the audit plan and any special requests by the CCHHS Board of Directors, its 
Audit and Compliance Committee, and CCHHS Senior Leadership and management. 

• Maintain a professional audit staff capable of meeting the requirements of this Charter. 

• Establish a quality assurance program whereby the director of internal audit assures the 
operations of internal audit. 

• Perform consulting services in addition to assurance services. Consulting services are defined 
as “advisory and related client services activities, the nature and scope of which are agreed 
with the client and which are intended to add value and improve the organization’s 
governance, risk management and control processes without the internal auditor assuming 
management responsibility.” Examples include counsel, advice, facilitation, and training. 

• Evaluate and assess significant merging/consolidating functions and new or changing 
services, processes, operations and control processes, coincident with their development, 
implementation and/or expansion. 
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• Issue periodic reports to the CCHHS Board of Directors through its Audit and Compliance 
Committee and to CCHHS Senior Leadership summarizing results of internal audit activities. 

• Inform the CCHHS Board of Directors through its Audit and Compliance Committee, and 
CCHHS Senior Leadership of emerging trends and successful practices in internal auditing. 

• Provide the CCHHS Board of Directors through its Audit and Compliance Committee, and 
CCHHS Senior Leadership a list of internal audit measurement goals and results. 

• Assist in the investigation of significant suspected fraudulent activities. 

• Consider the scope of work of the external auditors and regulators for the purpose of 
providing optimal audit coverage at a reasonable cost. 


Dr. Luis Munoz 

Audit and Compliance Committee Chair 


Dr. Ram Raju 
Chief Executive Officer 


Tom Schroeder 
Director of Internal Audit 
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